← Back to team overview

lubuntu-qa team mailing list archive

Fwd: [Bug 1301274] Re: SSL validation problem (or sync Sylpheed from Debian sid)


Could you all verify that this problem is solved, so we can get an SRU
going? We need to act fast!


---------- Forwarded message ----------
From: Julien Lavergne <julien.lavergne@xxxxxxxxx>
Date: Thu, Sep 11, 2014 at 6:15 AM
Subject: [Bug 1301274] Re: SSL validation problem (or sync Sylpheed
from Debian sid)
To: carsrcoffins23@xxxxxxxxx

As this update should fix a security issue, I would be glad if someone
from the security team could check this update, to see if the issue is
really fixed.
I also ask for people to help in the testing, to validate the SRU.

You received this bug notification because you are a member of Lubuntu
Packages Team, which is subscribed to sylpheed in Ubuntu.

  SSL validation problem (or sync Sylpheed from Debian sid)

Status in “sylpheed” package in Ubuntu:
  Fix Released
Status in “sylpheed” source package in Trusty:
  Fix Committed

Bug description:
  SRU statement :

  * Actual sylpheed has 2 major issues :
  - Security problem (SSL certificate validation)
  - Losing mail using POP3

  The problem is that the security fix is separated into several
  commits, so it's not easy and secure to cheery pick commits, and maybe
  other commits that could be necessary and not labeled « SSL fix ».

  So, the easiest and more secure way to fix this is to take the whole
  upstream release. It will also fix the other major issue.

  Since 3.4.0 beta7 (include in trusty), the changelog to 3.4.1 is :

  Mac OS X support was improved.
  SSL certificate hostname is validated now (#167).
  The Japanese manual was modified so that IE correctly detect its
character encoding.
  The rightmost column of folder view and summary view became easier to resize.
  Appropriate columns of folder view, summary view, etc. are
auto-expanded by window resize when using GTK+ 2.14 or later.
  The initial setup dialog is now resizable.
  PGP encrypt-to-self feature was added.
  The display period of notification window became configurable.
  Win32: OpenSSL was updated to 0.9.8y.
  Win32: libpng was updated to 1.2.51.

  SSL wildcard certificate is also validated now (#167).
  The compile error with OpenSSL disabled was fixed.

  This release fixes an important bug that would lose mails when local
  mailbox was inaccessible on POP3 receiving.

  The others fixes are mininal when you compare to the 2 major fixes +
  the risk to miss something by cherry-picking commits.

  [Test Case]
  Detail of the security issue is described on the upstream bug
tracker : http://sylpheed.sraoss.jp/redmine/issues/167
  Since it's a security issue, it's not really easy to reproduce.

  Also, details about the lost of email are on upstream bug tracker

  [Regression Potential]

  I can't see any regressions. The fixes are upstream since quite some
  time, and there is no new releases fixing again those issues (no I
  assume the actual fixes are good).

  Changelog :
  sylpheed (3.4.1-0ubuntu0.1) trusty-proposed; urgency=medium

    * New upstream release
     - Fix SSL validation (LP: #1301274).
     - Fix losing mails when local mailbox is inaccessible on POP3 receiving.

   -- Julien Lavergne <gilir@xxxxxxxxxx>  Fri, 16 May 2014 15:29:20

  Debdiff is attached.

  Original report :

  Ubuntu 14.04 LTS Trusty Tahr currently only has the old Sylpheed 3.4
  beta 7:


  whereas Debian sid has the new Sylpheed 3.4 stable:


  The new Sylpheed 3.4 stable also has a security fix that Sylpheed 3.4
  beta 7 does not have, see:


  So, please update the package in Ubuntu 14.04 LTS Trusty Tahr, so that
  it will have the new Sylpheed 3.4 stable as well.

  The changelog of Sylpheed is available over there:


  It would be much appreciated.


To manage notifications about this bug go to:

Follow ups